US Nuclear Weapons Plant Breached By Foreign Hackers

Flaws within Microsoft's SharePoint app have allowed a foreign actor to infiltrate the National Nuclear Security Administration.

Published on Oct 28, 2025

A key manufacturing site for the National Nuclear Security Administration (NNSA) has been breached by a foreign actor, who gained access by exploiting vulnerabilities in Microsoft SharePoint. The two vulnerabilities were assigned CVSS scores of 9.8 and 8.8, putting them in the Critical and High categories respectively.

The manufacturing plant in question produces critical non-nuclear components for US nuclear weapons. The site is run by Honeywell Federal Manufacturing & Technologies (FM&T), under a contract from the Department of Energy (DOE). It is one of eight NNSA sites, where 80% of non-nuclear components are manufactured.

The site is used to engineer material components and carry out metallurgical analysis, analytical chemistry, environmental testing, and simulation modelling.

How The Attack Worked

In this case, the attackers exploited two recently disclosed Microsoft SharePoint vulnerabilities – CVE-2025-53770 and CVE-2025-49704. While Microsoft provided a patch for both of these vulnerabilities on July 19, the NNSA announced that it had fallen victim to the exploit the day before the patches became available.

“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy,” the DOE explained. 

The initial vulnerabilities were a spoofing flaw and an RCE bug, both of which affected on-premises Microsoft SharePoint servers. NIST's description of CVE-2025-53770 reads: “Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild.”

According to the DOE, the fact that the vulnerabilities affected on-prem servers limited the impact of the breach.

“The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable security system,” they explained. 

Who Is To Blame?

At the time, Microsoft linked the initial vulnerabilities to three Chinese groups: Linen Typhoon, Violet Typhoon and Storm-2603. The attribution is backed up by cyber research group Resecurity, which says that its monitoring of the SharePoint exploitation points towards Chinese nation-state groups. However, it goes on to say that it cannot rule out Russian involvement.

Chinese groups may have been responsible for identifying the vulnerability, but that does not mean they were the only ones able to exploit it.

The Impact

An NNSA spokesperson explained that “At this time, we know of no sensitive or classified information that was compromised.” While this information is, of course, reassuring, it does not entirely allay fears. Any breach is an issue, particularly one affecting a secure industry.

The attackers may have been able to access information that wasn’t sensitive, which could be added to an intelligence vault, helping hostile foreign actors to build an intelligence picture. A breach that does not exfiltrate data may also act as an entry point where the malicious actor can expand laterally. While there is currently no indication that the attackers were able to do so, it acts as a reminder that there is no such thing as a “safe breach.” 

In a blog post, Microsoft recommended that customers “use supported versions of on-premises SharePoint servers with the latest security updates. To stop unauthenticated attacks from exploiting this vulnerability, customers should also integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode.”